{
  "id": "ingress",
  "title": "Configure Ingress for external routing",
  "url": "https://redis.io/docs/latest/operate/kubernetes/7.8.4/networking/ingress/",
  "summary": "Configure an ingress controller to access your Redis Enterprise databases from outside the Kubernetes cluster.",
  "content": "\n## Prerequisites\n\nBefore creating an Ingress, you'll need:\n\n - A RedisEnterpriseDatabase (REDB) with TLS enabled for client connections\n - A supported Ingress controller with `ssl-passthrough` enabled\n    - [Ingress-NGINX Controller](https://kubernetes.github.io/ingress-nginx/deploy/)\n        - Be sure to use the `kubernetes/ingress-nginx` controller and NOT the `nginxinc/kubernetes-ingress` controller.\n    - [HAProxy Ingress](https://haproxy-ingress.github.io/docs/getting-started/)\n    - To use Istio for your Ingress resources, see [Configure Istio for external routing]()\n\nMake sure your Ingress controller has `ssl-passthrough`enabled. This is enabled by default for HAProxy, but disabled by default for NGINX. See the [NGINX User Guide](https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough) for details. \n\n## Create an Ingress resource\n\n1. Retrieve the hostname of your Ingress controller's `LoadBalancer` service.\n\n    ``` sh\n    $ kubectl get svc \u003chaproxy-ingress | ingress-ngnix-controller\u003e \\\n                        -n \u003cingress-ctrl-namespace\u003e\n    ```\n\n    Below is example output for an HAProxy running on a K8s cluster hosted by AWS.  \n\n    ``` sh\n    NAME              TYPE           CLUSTER-IP    EXTERNAL-IP                                                              PORT(S)                      AGE   \n    haproxy-ingress   LoadBalancer   10.43.62.53   a56e24df8c6173b79a63d5da54fd9cff-676486416.us-east-1.elb.amazonaws.com   80:30610/TCP,443:31597/TCP   21m\n    ```\n\n1. Choose the hostname you will use to access your database (this value will be represented in this article with `\u003cmy-db-hostname\u003e`).  \n\n1. Create a DNS entry that resolves your chosen database hostname to the IP address for the Ingress controller's LoadBalancer.  \n\n1. Create the Ingress resource YAML file.  
\n\n    ``` YAML\n    apiVersion: networking.k8s.io/v1\n    kind: Ingress\n    metadata:\n      name: rec-ingress\n      annotations:\n        \u003ccontroller-specific-annotations-below\u003e\n    spec:\n      rules:\n      - host: \u003cmy-db-hostname\u003e\n        http:\n          paths:\n          - path: /\n            pathType: ImplementationSpecific\n            backend:\n              service:\n                name: \u003cdb-name\u003e\n                port:\n                  name: redis\n    ```  \n\n    For HAProxy, insert the following into the `annotations` section:  \n\n    ``` YAML\n    kubernetes.io/ingress.class: haproxy\n    ingress.kubernetes.io/ssl-passthrough: \"true\"\n    ```\n\n    For NGINX, insert the following into the `annotations` section:  \n\n    ``` YAML\n    kubernetes.io/ingress.class: nginx\n    nginx.ingress.kubernetes.io/ssl-passthrough: \"true\"\n    ```  \n\n    The `ssl-passthrough` annotation is required to allow access to the database. The specific format changes depending on your Ingress controller and any additional customizations. See [NGINX Configuration annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) and [HAProxy Ingress Options](https://www.haproxy.com/documentation/kubernetes/latest/configuration/ingress/) for updated annotation formats.  \n\n## Test your external access  \n\nTo test your external access to the database, you need a client that supports [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) and [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication).  \n\n#### Test your access with OpenSSL  \n\n1. Get the default CA certificate from the `redis-enterprise-node` container on any of the Redis Enterprise pods.  \n\n    ``` sh\n    $ kubectl exec -it \u003cpod-name\u003e -c redis-enterprise-node \\\n                    -- cat /etc/opt/redislabs/proxy_cert.pem\n    ```  \n\n1. 
Run the following `openssl` command, substituting your own values for `\u003cmy-db-hostname\u003e`.  \n\n    ``` sh\n    $ openssl s_client \\\n      -connect \u003cmy-db-hostname\u003e:443 \\\n      -crlf -CAfile ./proxy_cert.pem \\\n      -servername \u003cmy-db-hostname\u003e\n    ```  \n\n    If you are connected to the database, you will receive `PONG` back, as shown below:  \n\n    ``` sh\n    ...\n     Verify return code: 0 (ok)\n    ---\n\n    PING\n    +PONG\n    ```  \n\n#### Test your access with Python  \n\nYou can use the code below to test your access with Python, substituting your own values for `\u003cmy-db-hostname\u003e` and `\u003cfile-path\u003e`.  \n\n``` python\nimport redis\n\nr = redis.StrictRedis(host='\u003cmy-db-hostname\u003e',\n              port=443, db=0, ssl=True,\n              ssl_ca_certs='/\u003cfile-path\u003e/proxy_cert.pem')\n\n\nprint(r.info())\n```\n\nYour output should look something like this:  \n\n``` sh\n$ /Users/example-user/Documents/Projects/test_client/venv3.7/bin/python \\\n    /Users/example-user/Documents/Projects/test_client/test_ssl.py\n{\n    'redis_version': '5.0.5',\n    'redis_git_sha1': 0,\n    'redis_git_dirty': 0,\n    'redis_build_id': 0,\n    'redis_mode': 'standalone',\n    'os': 'Linux 4.14.154-128.181.amzn2.x86_64 x86_64',\n    'arch_bits': 64,\n    'multiplexing_api': 'epoll',\n    'gcc_version': '7.4.0',\n    'process_id': 1,\n    'run_id': '3ce7721b096517057d28791aab555ed8ac02e1de',\n    'tcp_port': 10811,\n    'uptime_in_seconds': 316467,\n    'uptime_in_days': 3,\n    'hz': 10,\n    'lru_clock': 0,\n    'config_file': '',\n    'connected_clients': 1,\n    'client_longest_output_list': 0,\n    'client_biggest_input_buf': 0,\n    'blocked_clients': 0,\n    'used_memory': 12680016,\n    'used_memory_human': '12.9M',\n    'used_memory_rss': 12680016,\n    'used_memory_peak': 13452496,\n    'used_memory_peak_human': '12.82M',\n    'used_memory_lua': 151552,\n    'mem_fragmentation_ratio': 1,\n    
'mem_allocator': 'jemalloc-5.1.0',\n    'loading': 0,\n    'rdb_changes_since_last_save': 0,\n    'rdb_bgsave_in_progress': 0,\n    'rdb_last_save_time': 1577753916,\n    'rdb_last_bgsave_status': 'ok',\n    'rdb_last_bgsave_time_sec': 0,\n    'rdb_current_bgsave_time_sec': -1,\n    'aof_enabled': 0,\n    'aof_rewrite_in_progress': 0,\n    'aof_rewrite_scheduled': 0,\n    'aof_last_rewrite_time_sec': -1,\n    'aof_current_rewrite_time_sec': -1,\n    'aof_last_bgrewrite_status': 'ok',\n    'aof_last_write_status': 'ok',\n    'total_connections_received': 4,\n    'total_commands_processed': 6,\n    'instantaneous_ops_per_sec': 14,\n    'total_net_input_bytes': 0,\n    'total_net_output_bytes': 0,\n    'instantaneous_input_kbps': 0.0,\n    'instantaneous_output_kbps': 0.0,\n    'rejected_connections': 0,\n    'sync_full': 1,\n    'sync_partial_ok': 0,\n    'sync_partial_err': 0,\n    'expired_keys': 0,\n    'evicted_keys': 0,\n    'keyspace_hits': 0,\n    'keyspace_misses': 0,\n    'pubsub_channels': 0,\n    'pubsub_patterns': 0,\n    'latest_fork_usec': 0,\n    'migrate_cached_sockets': 0,\n    'role': 'master',\n    'connected_slaves': 1,\n    'slave0': {\n        'ip': '0.0.0.0',\n        'port': 0,\n        'state': 'online',\n        'offset': 0,\n        'lag': 0\n    },\n    'master_repl_offset': 0,\n    'repl_backlog_active': 0,\n    'repl_backlog_size': 1048576,\n    'repl_backlog_first_byte_offset': 0,\n    'repl_backlog_histlen': 0,\n    'used_cpu_sys': 0.0,\n    'used_cpu_user': 0.0,\n    'used_cpu_sys_children': 0.0,\n    'used_cpu_user_children': 0.0,\n    'cluster_enabled': 0\n}\n\nProcess finished with exit code 0\n```\n",
  "tags": ["docs","operate","kubernetes"],
  "last_updated": "2026-04-08T12:21:52-07:00"
}

